

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>STS in Ceph &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/css/custom.css" type="text/css" />

  
  
    <link rel="shortcut icon" href="../../_static/favicon.ico"/>
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script>
        <script src="../../_static/jquery.js"></script>
        <script src="../../_static/underscore.js"></script>
        <script src="../../_static/doctools.js"></script>
    
    <script type="text/javascript" src="../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../genindex/" />
    <link rel="search" title="Search" href="../../search/" />
    <link rel="next" title="STS Lite" href="../STSLite/" />
    <link rel="prev" title="Rados 网关的数据布局" href="../layout/" /> 
</head>

<body class="wy-body-for-nav">

   
  <header class="top-bar">
    

















<div role="navigation" aria-label="breadcrumbs navigation">

  <ul class="wy-breadcrumbs">
    
      <li><a href="../../" class="icon icon-home"></a> &raquo;</li>
        
          <li><a href="../">Ceph 对象网关</a> &raquo;</li>
        
      <li>STS in Ceph</li>
    
    
      <li class="wy-breadcrumbs-aside">
        
          
            <a href="../../_sources/radosgw/STS.rst.txt" rel="nofollow"> View page source</a>
          
        
      </li>
    
  </ul>

  
  <hr/>
</div>
  </header>
  <div class="wy-grid-for-nav">
    
    <nav data-toggle="wy-nav-shift" class="wy-nav-side">
      <div class="wy-side-scroll">
        <div class="wy-side-nav-search"  style="background: #eee" >
          

          
            <a href="../../">
          

          
            
            <img src="../../_static/logo.png" class="logo" alt="Logo"/>
          
          </a>

          

          
<div role="search">
  <form id="rtd-search-form" class="wy-form" action="../../search/" method="get">
    <input type="text" name="q" placeholder="Search docs" />
    <input type="hidden" name="check_keywords" value="yes" />
    <input type="hidden" name="area" value="default" />
  </form>
</div>

          
        </div>

        
        <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
          
            
            
              
            
            
              <ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../start/intro/">Ceph 简介</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../install/">安装 Ceph</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../cephadm/">Cephadm</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../rados/">Ceph 存储集群</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../cephfs/">Ceph 文件系统</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../rbd/">Ceph 块设备</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="../">Ceph 对象网关</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../frontends/">HTTP 前端</a></li>
<li class="toctree-l2"><a class="reference internal" href="../placement/">存储池归置与存储类</a></li>
<li class="toctree-l2"><a class="reference internal" href="../multisite/">多站配置</a></li>
<li class="toctree-l2"><a class="reference internal" href="../multisite-sync-policy/">多站同步策略配置</a></li>
<li class="toctree-l2"><a class="reference internal" href="../pools/">存储池的配置</a></li>
<li class="toctree-l2"><a class="reference internal" href="../config-ref/">配置参考</a></li>
<li class="toctree-l2"><a class="reference internal" href="../admin/">管理指南</a></li>
<li class="toctree-l2"><a class="reference internal" href="../s3/">S3 API</a></li>
<li class="toctree-l2"><a class="reference internal" href="../rgw-cache/">Data caching and CDN</a></li>
<li class="toctree-l2"><a class="reference internal" href="../swift/">Swift API</a></li>
<li class="toctree-l2"><a class="reference internal" href="../adminops/">管理操作 API</a></li>
<li class="toctree-l2"><a class="reference internal" href="../api/">Python 接口</a></li>
<li class="toctree-l2"><a class="reference internal" href="../nfs/">通过 NFS 导出</a></li>
<li class="toctree-l2"><a class="reference internal" href="../keystone/">与 OpenStack Keystone 对接</a></li>
<li class="toctree-l2"><a class="reference internal" href="../barbican/">与 OpenStack Barbican 对接</a></li>
<li class="toctree-l2"><a class="reference internal" href="../vault/">与 HashiCorp Vault 对接</a></li>
<li class="toctree-l2"><a class="reference internal" href="../kmip/">KMIP Integration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../opa/">与 Open Policy Agent 对接</a></li>
<li class="toctree-l2"><a class="reference internal" href="../multitenancy/">多租户</a></li>
<li class="toctree-l2"><a class="reference internal" href="../compression/">压缩</a></li>
<li class="toctree-l2"><a class="reference internal" href="../ldap-auth/">LDAP 认证</a></li>
<li class="toctree-l2"><a class="reference internal" href="../encryption/">服务器端加密</a></li>
<li class="toctree-l2"><a class="reference internal" href="../bucketpolicy/">桶策略</a></li>
<li class="toctree-l2"><a class="reference internal" href="../dynamicresharding/">动态的桶索引重分片</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mfa/">多因子认证</a></li>
<li class="toctree-l2"><a class="reference internal" href="../sync-modules/">同步模块</a></li>
<li class="toctree-l2"><a class="reference internal" href="../notifications/">Bucket Notifications</a></li>
<li class="toctree-l2"><a class="reference internal" href="../layout/">RADOS 中的数据布局</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">STS</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#sts-rest-apis">STS REST APIs</a></li>
<li class="toctree-l3"><a class="reference internal" href="#sts-configuration">STS Configuration</a></li>
<li class="toctree-l3"><a class="reference internal" href="#examples">Examples</a></li>
<li class="toctree-l3"><a class="reference internal" href="#how-to-obtain-thumbprint-of-an-openid-connect-provider-idp">How to obtain thumbprint of an OpenID Connect Provider IDP</a></li>
<li class="toctree-l3"><a class="reference internal" href="#roles-in-rgw">Roles in RGW</a></li>
<li class="toctree-l3"><a class="reference internal" href="#openid-connect-provider-in-rgw">OpenID Connect Provider in RGW</a></li>
<li class="toctree-l3"><a class="reference internal" href="#keycloak-integration-with-radosgw">Keycloak integration with Radosgw</a></li>
<li class="toctree-l3"><a class="reference internal" href="#stslite">STSLite</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../STSLite/">STS Lite</a></li>
<li class="toctree-l2"><a class="reference internal" href="../keycloak/">Keycloak</a></li>
<li class="toctree-l2"><a class="reference internal" href="../role/">Role</a></li>
<li class="toctree-l2"><a class="reference internal" href="../session-tags/">Session Tags</a></li>
<li class="toctree-l2"><a class="reference internal" href="../orphans/">Orphan List and Associated Tooliing</a></li>
<li class="toctree-l2"><a class="reference internal" href="../oidc/">OpenID Connect Provider</a></li>
<li class="toctree-l2"><a class="reference internal" href="../troubleshooting/">故障排除</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../man/8/radosgw/">radosgw 手册页</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../man/8/radosgw-admin/">radosgw-admin 手册页</a></li>
<li class="toctree-l2"><a class="reference internal" href="../qat-accel/">使用 QAT 为加密和压缩提速</a></li>
<li class="toctree-l2"><a class="reference internal" href="../s3select/">S3-select</a></li>
<li class="toctree-l2"><a class="reference internal" href="../lua-scripting/">Lua Scripting</a></li>
<li class="toctree-l2"><a class="reference internal" href="../d3n_datacache/">D3N Data Cache</a></li>
<li class="toctree-l2"><a class="reference internal" href="../cloud-transition/">Cloud Transition</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../../mgr/">Ceph 管理器守护进程</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../mgr/dashboard/">Ceph 仪表盘</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../api/">API 文档</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../architecture/">体系结构</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../dev/developer_guide/">开发者指南</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../dev/internals/">Ceph 内幕</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../governance/">项目管理</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../foundation/">Ceph 基金会</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../ceph-volume/">ceph-volume</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../releases/general/">Ceph 版本（总目录）</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../releases/">Ceph 版本（索引）</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../security/">Security</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../glossary/">Ceph 术语</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../jaegertracing/">Tracing</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../translation_cn/">中文版翻译资源</a></li>
</ul>

            
          
        </div>
        
      </div>
    </nav>

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      
      <nav class="wy-nav-top" aria-label="top navigation">
        
          <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
          <a href="../../">Ceph</a>
        
      </nav>


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>
  <div id="docubetter" align="right" style="padding: 5px; font-weight: bold;">
    <a href="https://pad.ceph.com/p/Report_Documentation_Bugs">Report a Documentation Bug</a>
  </div>

  
  <div class="section" id="sts-in-ceph">
<h1>STS in Ceph<a class="headerlink" href="#sts-in-ceph" title="Permalink to this headline">¶</a></h1>
<p>Secure Token Service is a web service in AWS that returns a set of temporary security credentials for authenticating federated users.
The link to official AWS documentation can be found here: <a class="reference external" href="https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html">https://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html</a>.</p>
<p>Ceph Object Gateway implements a subset of STS APIs that provide temporary credentials for identity and access management.
These temporary credentials can be used to make subsequent S3 calls which will be authenticated by the STS engine in Ceph Object Gateway.
Permissions of the temporary credentials can be further restricted via an IAM policy passed as a parameter to the STS APIs.</p>
<div class="section" id="sts-rest-apis">
<h2>STS REST APIs<a class="headerlink" href="#sts-rest-apis" title="Permalink to this headline">¶</a></h2>
<p>The following STS REST APIs have been implemented in Ceph Object Gateway:</p>
<p>1. AssumeRole: Returns a set of temporary credentials that can be used for
cross-account access. The temporary credentials will have permissions that are
allowed by both - permission policies attached with the Role and policy attached
with the AssumeRole API.</p>
<dl>
<dt>Parameters:</dt><dd><p><strong>RoleArn</strong> (String/ Required): ARN of the Role to Assume.</p>
<p><strong>RoleSessionName</strong> (String/ Required): An Identifier for the assumed role
session.</p>
<p><strong>Policy</strong> (String/ Optional): An IAM Policy in JSON format.</p>
<p><strong>DurationSeconds</strong> (Integer/ Optional): The duration in seconds of the session.
Its default value is 3600.</p>
<p><strong>ExternalId</strong> (String/ Optional): A unique Id that might be used when a role is
assumed in another account.</p>
<p><strong>SerialNumber</strong> (String/ Optional): The Id number of the MFA device associated
with the user making the AssumeRole call.</p>
<p><strong>TokenCode</strong> (String/ Optional): The value provided by the MFA device, if the
trust policy of the role being assumed requires MFA.</p>
</dd>
</dl>
<p>2. AssumeRoleWithWebIdentity: Returns a set of temporary credentials for users that
have been authenticated by a web/mobile app by an OpenID Connect /OAuth2.0 Identity Provider.
Currently Keycloak has been tested and integrated with RGW.</p>
<dl>
<dt>Parameters:</dt><dd><p><strong>RoleArn</strong> (String/ Required): ARN of the Role to Assume.</p>
<p><strong>RoleSessionName</strong> (String/ Required): An Identifier for the assumed role
session.</p>
<p><strong>Policy</strong> (String/ Optional): An IAM Policy in JSON format.</p>
<p><strong>DurationSeconds</strong> (Integer/ Optional): The duration in seconds of the session.
Its default value is 3600.</p>
<p><strong>ProviderId</strong> (String/ Optional): Fully qualified host component of the domain name
of the IDP. Valid only for OAuth2.0 tokens (not for OpenID Connect tokens).</p>
<p><strong>WebIdentityToken</strong> (String/ Required): The OpenID Connect/ OAuth2.0 token, which the
application gets in return after authenticating its user with an IDP.</p>
</dd>
</dl>
<p>Before invoking AssumeRoleWithWebIdentity, an OpenID Connect Provider entity (which the web application
authenticates with), needs to be created in RGW.</p>
<p>The trust between the IDP and the role is created by adding a condition to the role’s trust policy, which
allows access only to applications which satisfy the given condition.
All claims of the JWT are supported in the condition of the role’s trust policy.
An example of a policy that uses the ‘aud’ claim in the condition is of the form:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="sd">&#39;&#39;&#39;{&quot;Version&quot;:&quot;2012-10-17&quot;,&quot;Statement&quot;:[{&quot;Effect&quot;:&quot;Allow&quot;,&quot;Principal&quot;:{&quot;Federated&quot;:[&quot;arn:aws:iam:::oidc-provider/&lt;URL of IDP&gt;&quot;]},&quot;Action&quot;:[&quot;sts:AssumeRoleWithWebIdentity&quot;],&quot;Condition&quot;:{&quot;StringEquals&quot;:{&quot;&lt;URL of IDP&gt; :app_id&quot;:&quot;&lt;aud&gt;&quot;}}}]}&#39;&#39;&#39;</span>
</pre></div>
</div>
<p>The app_id in the condition above must match the ‘aud’ claim of the incoming token.</p>
<p>An example of a policy that uses the ‘sub’ claim in the condition is of the form:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="s2">&quot;{</span><span class="se">\&quot;</span><span class="s2">Version</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">2012-10-17</span><span class="se">\&quot;</span><span class="s2">,</span><span class="se">\&quot;</span><span class="s2">Statement</span><span class="se">\&quot;</span><span class="s2">:[{</span><span class="se">\&quot;</span><span class="s2">Effect</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">Allow</span><span class="se">\&quot;</span><span class="s2">,</span><span class="se">\&quot;</span><span class="s2">Principal</span><span class="se">\&quot;</span><span class="s2">:{</span><span class="se">\&quot;</span><span class="s2">Federated</span><span class="se">\&quot;</span><span class="s2">:[</span><span class="se">\&quot;</span><span class="s2">arn:aws:iam:::oidc-provider/&lt;URL of IDP&gt;</span><span class="se">\&quot;</span><span class="s2">]},</span><span class="se">\&quot;</span><span class="s2">Action</span><span class="se">\&quot;</span><span class="s2">:[</span><span class="se">\&quot;</span><span class="s2">sts:AssumeRoleWithWebIdentity</span><span class="se">\&quot;</span><span class="s2">],</span><span class="se">\&quot;</span><span class="s2">Condition</span><span class="se">\&quot;</span><span class="s2">:{</span><span class="se">\&quot;</span><span class="s2">StringEquals</span><span class="se">\&quot;</span><span class="s2">:{</span><span class="se">\&quot;</span><span class="s2">&lt;URL of IDP&gt; :sub</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">&lt;sub&gt;</span><span class="se">\&quot;</span><span class="s2">\}\}\}\]\}&quot;</span>
</pre></div>
</div>
<p>Similarly, an example of a policy that uses ‘azp’ claim in the condition is of the form:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="s2">&quot;{</span><span class="se">\&quot;</span><span class="s2">Version</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">2012-10-17</span><span class="se">\&quot;</span><span class="s2">,</span><span class="se">\&quot;</span><span class="s2">Statement</span><span class="se">\&quot;</span><span class="s2">:[{</span><span class="se">\&quot;</span><span class="s2">Effect</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">Allow</span><span class="se">\&quot;</span><span class="s2">,</span><span class="se">\&quot;</span><span class="s2">Principal</span><span class="se">\&quot;</span><span class="s2">:{</span><span class="se">\&quot;</span><span class="s2">Federated</span><span class="se">\&quot;</span><span class="s2">:[</span><span class="se">\&quot;</span><span class="s2">arn:aws:iam:::oidc-provider/&lt;URL of IDP&gt;</span><span class="se">\&quot;</span><span class="s2">]},</span><span class="se">\&quot;</span><span class="s2">Action</span><span class="se">\&quot;</span><span class="s2">:[</span><span class="se">\&quot;</span><span class="s2">sts:AssumeRoleWithWebIdentity</span><span class="se">\&quot;</span><span class="s2">],</span><span class="se">\&quot;</span><span class="s2">Condition</span><span class="se">\&quot;</span><span class="s2">:{</span><span class="se">\&quot;</span><span class="s2">StringEquals</span><span class="se">\&quot;</span><span class="s2">:{</span><span class="se">\&quot;</span><span class="s2">&lt;URL of IDP&gt; :azp</span><span class="se">\&quot;</span><span class="s2">:</span><span class="se">\&quot;</span><span class="s2">&lt;azp&gt;</span><span class="se">\&quot;</span><span class="s2">\}\}\}\]\}&quot;</span>
</pre></div>
</div>
<p>A shadow user is created corresponding to every federated user. The user id is derived from the ‘sub’ field of the incoming web token.
The user is created in a separate namespace - ‘oidc’ such that the user id doesn’t clash with any other user ids in rgw. The format of the user id
is - &lt;tenant&gt;$&lt;user-namespace&gt;$&lt;sub&gt; where user-namespace is ‘oidc’ for users that authenticate with oidc providers.</p>
<p>RGW now supports Session tags that can be passed in the web token to AssumeRoleWithWebIdentity call. More information related to Session Tags can be found here
<a class="reference internal" href="../session-tags/"><span class="doc">Session tags for Attribute Based Access Control in STS</span></a>.</p>
</div>
<div class="section" id="sts-configuration">
<h2>STS Configuration<a class="headerlink" href="#sts-configuration" title="Permalink to this headline">¶</a></h2>
<p>The following configurable options have to be added for STS integration:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">client</span><span class="o">.</span><span class="n">radosgw</span><span class="o">.</span><span class="n">gateway</span><span class="p">]</span>
<span class="n">rgw</span> <span class="n">sts</span> <span class="n">key</span> <span class="o">=</span> <span class="p">{</span><span class="n">sts</span> <span class="n">key</span> <span class="k">for</span> <span class="n">encrypting</span> <span class="n">the</span> <span class="n">session</span> <span class="n">token</span><span class="p">}</span>
<span class="n">rgw</span> <span class="n">s3</span> <span class="n">auth</span> <span class="n">use</span> <span class="n">sts</span> <span class="o">=</span> <span class="n">true</span>
</pre></div>
</div>
<p>Note: By default, STS and S3 APIs co-exist in the same namespace, and both S3
and STS APIs can be accessed via the same endpoint in Ceph Object Gateway.</p>
</div>
<div class="section" id="examples">
<h2>Examples<a class="headerlink" href="#examples" title="Permalink to this headline">¶</a></h2>
<p>1. The following is an example of AssumeRole API call, which shows steps to create a role, assign a policy to it
(that allows access to S3 resources), assuming a role to get temporary credentials and accessing s3 resources using
those credentials. In this example, TESTER1 assumes a role created by TESTER, to access S3 resources owned by TESTER,
according to the permission policy attached to the role.</p>
<div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="kn">import</span> <span class="nn">boto3</span>

<span class="n">iam_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="o">.</span><span class="n">client</span><span class="p">(</span><span class="s1">&#39;iam&#39;</span><span class="p">,</span>
<span class="n">aws_access_key_id</span><span class="o">=&lt;</span><span class="n">access_key</span> <span class="n">of</span> <span class="n">TESTER</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">aws_secret_access_key</span><span class="o">=&lt;</span><span class="n">secret_key</span> <span class="n">of</span> <span class="n">TESTER</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">endpoint_url</span><span class="o">=&lt;</span><span class="n">IAM</span> <span class="n">URL</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">region_name</span><span class="o">=</span><span class="s1">&#39;&#39;</span>
<span class="p">)</span>

<span class="n">policy_document</span> <span class="o">=</span> <span class="s1">&#39;&#39;&#39;{&quot;Version&quot;:&quot;2012-10-17&quot;,&quot;Statement&quot;:[{&quot;Effect&quot;:&quot;Allow&quot;,&quot;Principal&quot;:{&quot;AWS&quot;:[&quot;arn:aws:iam:::user/TESTER1&quot;]},&quot;Action&quot;:[&quot;sts:AssumeRole&quot;]}]}&#39;&#39;&#39;</span>

<span class="n">role_response</span> <span class="o">=</span> <span class="n">iam_client</span><span class="o">.</span><span class="n">create_role</span><span class="p">(</span>
<span class="n">AssumeRolePolicyDocument</span><span class="o">=</span><span class="n">policy_document</span><span class="p">,</span>
<span class="n">Path</span><span class="o">=</span><span class="s1">&#39;/&#39;</span><span class="p">,</span>
<span class="n">RoleName</span><span class="o">=</span><span class="s1">&#39;S3Access&#39;</span><span class="p">,</span>
<span class="p">)</span>

<span class="n">role_policy</span> <span class="o">=</span> <span class="s1">&#39;&#39;&#39;{&quot;Version&quot;:&quot;2012-10-17&quot;,&quot;Statement&quot;:{&quot;Effect&quot;:&quot;Allow&quot;,&quot;Action&quot;:&quot;s3:*&quot;,&quot;Resource&quot;:&quot;arn:aws:s3:::*&quot;}}&#39;&#39;&#39;</span>

<span class="n">response</span> <span class="o">=</span> <span class="n">iam_client</span><span class="o">.</span><span class="n">put_role_policy</span><span class="p">(</span>
<span class="n">RoleName</span><span class="o">=</span><span class="s1">&#39;S3Access&#39;</span><span class="p">,</span>
<span class="n">PolicyName</span><span class="o">=</span><span class="s1">&#39;Policy1&#39;</span><span class="p">,</span>
<span class="n">PolicyDocument</span><span class="o">=</span><span class="n">role_policy</span>
<span class="p">)</span>

<span class="n">sts_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="o">.</span><span class="n">client</span><span class="p">(</span><span class="s1">&#39;sts&#39;</span><span class="p">,</span>
<span class="n">aws_access_key_id</span><span class="o">=&lt;</span><span class="n">access_key</span> <span class="n">of</span> <span class="n">TESTER1</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">aws_secret_access_key</span><span class="o">=&lt;</span><span class="n">secret_key</span> <span class="n">of</span> <span class="n">TESTER1</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">endpoint_url</span><span class="o">=&lt;</span><span class="n">STS</span> <span class="n">URL</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">region_name</span><span class="o">=</span><span class="s1">&#39;&#39;</span><span class="p">,</span>
<span class="p">)</span>

<span class="n">response</span> <span class="o">=</span> <span class="n">sts_client</span><span class="o">.</span><span class="n">assume_role</span><span class="p">(</span>
<span class="n">RoleArn</span><span class="o">=</span><span class="n">role_response</span><span class="p">[</span><span class="s1">&#39;Role&#39;</span><span class="p">][</span><span class="s1">&#39;Arn&#39;</span><span class="p">],</span>
<span class="n">RoleSessionName</span><span class="o">=</span><span class="s1">&#39;Bob&#39;</span><span class="p">,</span>
<span class="n">DurationSeconds</span><span class="o">=</span><span class="mi">3600</span>
<span class="p">)</span>

<span class="n">s3client</span> <span class="o">=</span> <span class="n">boto3</span><span class="o">.</span><span class="n">client</span><span class="p">(</span><span class="s1">&#39;s3&#39;</span><span class="p">,</span>
<span class="n">aws_access_key_id</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="s1">&#39;Credentials&#39;</span><span class="p">][</span><span class="s1">&#39;AccessKeyId&#39;</span><span class="p">],</span>
<span class="n">aws_secret_access_key</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="s1">&#39;Credentials&#39;</span><span class="p">][</span><span class="s1">&#39;SecretAccessKey&#39;</span><span class="p">],</span>
<span class="n">aws_session_token</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="s1">&#39;Credentials&#39;</span><span class="p">][</span><span class="s1">&#39;SessionToken&#39;</span><span class="p">],</span>
<span class="n">endpoint_url</span><span class="o">=&lt;</span><span class="n">S3</span> <span class="n">URL</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">region_name</span><span class="o">=</span><span class="s1">&#39;&#39;</span><span class="p">,)</span>

<span class="n">bucket_name</span> <span class="o">=</span> <span class="s1">&#39;my-bucket&#39;</span>
<span class="n">s3bucket</span> <span class="o">=</span> <span class="n">s3client</span><span class="o">.</span><span class="n">create_bucket</span><span class="p">(</span><span class="n">Bucket</span><span class="o">=</span><span class="n">bucket_name</span><span class="p">)</span>
<span class="n">resp</span> <span class="o">=</span> <span class="n">s3client</span><span class="o">.</span><span class="n">list_buckets</span><span class="p">()</span>
</pre></div>
</div>
<p>2. The following is an example of AssumeRoleWithWebIdentity API call, where an external app that has users authenticated with
an OpenID Connect/ OAuth2 IDP (Keycloak in this example), assumes a role to get back temporary credentials and access S3 resources
according to permission policy of the role.</p>
<div class="highlight-python notranslate"><div class="highlight"><pre><span></span><span class="kn">import</span> <span class="nn">boto3</span>

<span class="n">iam_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="o">.</span><span class="n">client</span><span class="p">(</span><span class="s1">&#39;iam&#39;</span><span class="p">,</span>
<span class="n">aws_access_key_id</span><span class="o">=&lt;</span><span class="n">access_key</span> <span class="n">of</span> <span class="n">TESTER</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">aws_secret_access_key</span><span class="o">=&lt;</span><span class="n">secret_key</span> <span class="n">of</span> <span class="n">TESTER</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">endpoint_url</span><span class="o">=&lt;</span><span class="n">IAM</span> <span class="n">URL</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">region_name</span><span class="o">=</span><span class="s1">&#39;&#39;</span>
<span class="p">)</span>

<span class="n">oidc_response</span> <span class="o">=</span> <span class="n">iam_client</span><span class="o">.</span><span class="n">create_open_id_connect_provider</span><span class="p">(</span>
    <span class="n">Url</span><span class="o">=&lt;</span><span class="n">URL</span> <span class="n">of</span> <span class="n">the</span> <span class="n">OpenID</span> <span class="n">Connect</span> <span class="n">Provider</span><span class="p">,</span>
    <span class="n">ClientIDList</span><span class="o">=</span><span class="p">[</span>
        <span class="o">&lt;</span><span class="n">Client</span> <span class="nb">id</span> <span class="n">registered</span> <span class="k">with</span> <span class="n">the</span> <span class="n">IDP</span><span class="o">&gt;</span>
    <span class="p">],</span>
    <span class="n">ThumbprintList</span><span class="o">=</span><span class="p">[</span>
        <span class="o">&lt;</span><span class="n">Thumbprint</span> <span class="n">of</span> <span class="n">the</span> <span class="n">IDP</span><span class="o">&gt;</span>
 <span class="p">]</span>
<span class="p">)</span>

<span class="n">policy_document</span> <span class="o">=</span> <span class="s1">&#39;&#39;&#39;{&quot;Version&quot;:&quot;2012-10-17&quot;,&quot;Statement&quot;:[{&quot;Effect&quot;:&quot;Allow&quot;,&quot;Principal&quot;:{&quot;Federated&quot;:[&quot;arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/demo&quot;]},&quot;Action&quot;:[&quot;sts:AssumeRoleWithWebIdentity&quot;],&quot;Condition&quot;:{&quot;StringEquals&quot;:{&quot;localhost:8080/auth/realms/demo:app_id&quot;:&quot;customer-portal&quot;}}}]}&#39;&#39;&#39;</span>
<span class="n">role_response</span> <span class="o">=</span> <span class="n">iam_client</span><span class="o">.</span><span class="n">create_role</span><span class="p">(</span>
<span class="n">AssumeRolePolicyDocument</span><span class="o">=</span><span class="n">policy_document</span><span class="p">,</span>
<span class="n">Path</span><span class="o">=</span><span class="s1">&#39;/&#39;</span><span class="p">,</span>
<span class="n">RoleName</span><span class="o">=</span><span class="s1">&#39;S3Access&#39;</span><span class="p">,</span>
<span class="p">)</span>

<span class="n">role_policy</span> <span class="o">=</span> <span class="s1">&#39;&#39;&#39;{&quot;Version&quot;:&quot;2012-10-17&quot;,&quot;Statement&quot;:{&quot;Effect&quot;:&quot;Allow&quot;,&quot;Action&quot;:&quot;s3:*&quot;,&quot;Resource&quot;:&quot;arn:aws:s3:::*&quot;}}&#39;&#39;&#39;</span>

<span class="n">response</span> <span class="o">=</span> <span class="n">iam_client</span><span class="o">.</span><span class="n">put_role_policy</span><span class="p">(</span>
    <span class="n">RoleName</span><span class="o">=</span><span class="s1">&#39;S3Access&#39;</span><span class="p">,</span>
    <span class="n">PolicyName</span><span class="o">=</span><span class="s1">&#39;Policy1&#39;</span><span class="p">,</span>
    <span class="n">PolicyDocument</span><span class="o">=</span><span class="n">role_policy</span>
<span class="p">)</span>

<span class="n">sts_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="o">.</span><span class="n">client</span><span class="p">(</span><span class="s1">&#39;sts&#39;</span><span class="p">,</span>
<span class="n">aws_access_key_id</span><span class="o">=&lt;</span><span class="n">access_key</span> <span class="n">of</span> <span class="n">TESTER1</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">aws_secret_access_key</span><span class="o">=&lt;</span><span class="n">secret_key</span> <span class="n">of</span> <span class="n">TESTER1</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">endpoint_url</span><span class="o">=&lt;</span><span class="n">STS</span> <span class="n">URL</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">region_name</span><span class="o">=</span><span class="s1">&#39;&#39;</span><span class="p">,</span>
<span class="p">)</span>

<span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="n">assume_role_with_web_identity</span><span class="p">(</span>
<span class="n">RoleArn</span><span class="o">=</span><span class="n">role_response</span><span class="p">[</span><span class="s1">&#39;Role&#39;</span><span class="p">][</span><span class="s1">&#39;Arn&#39;</span><span class="p">],</span>
<span class="n">RoleSessionName</span><span class="o">=</span><span class="s1">&#39;Bob&#39;</span><span class="p">,</span>
<span class="n">DurationSeconds</span><span class="o">=</span><span class="mi">3600</span><span class="p">,</span>
<span class="n">WebIdentityToken</span><span class="o">=&lt;</span><span class="n">Web</span> <span class="n">Token</span><span class="o">&gt;</span>
<span class="p">)</span>

<span class="n">s3client</span> <span class="o">=</span> <span class="n">boto3</span><span class="o">.</span><span class="n">client</span><span class="p">(</span><span class="s1">&#39;s3&#39;</span><span class="p">,</span>
<span class="n">aws_access_key_id</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="s1">&#39;Credentials&#39;</span><span class="p">][</span><span class="s1">&#39;AccessKeyId&#39;</span><span class="p">],</span>
<span class="n">aws_secret_access_key</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="s1">&#39;Credentials&#39;</span><span class="p">][</span><span class="s1">&#39;SecretAccessKey&#39;</span><span class="p">],</span>
<span class="n">aws_session_token</span> <span class="o">=</span> <span class="n">response</span><span class="p">[</span><span class="s1">&#39;Credentials&#39;</span><span class="p">][</span><span class="s1">&#39;SessionToken&#39;</span><span class="p">],</span>
<span class="n">endpoint_url</span><span class="o">=&lt;</span><span class="n">S3</span> <span class="n">URL</span><span class="o">&gt;</span><span class="p">,</span>
<span class="n">region_name</span><span class="o">=</span><span class="s1">&#39;&#39;</span><span class="p">,)</span>

<span class="n">bucket_name</span> <span class="o">=</span> <span class="s1">&#39;my-bucket&#39;</span>
<span class="n">s3bucket</span> <span class="o">=</span> <span class="n">s3client</span><span class="o">.</span><span class="n">create_bucket</span><span class="p">(</span><span class="n">Bucket</span><span class="o">=</span><span class="n">bucket_name</span><span class="p">)</span>
<span class="n">resp</span> <span class="o">=</span> <span class="n">s3client</span><span class="o">.</span><span class="n">list_buckets</span><span class="p">()</span>
</pre></div>
</div>
</div>
<div class="section" id="how-to-obtain-thumbprint-of-an-openid-connect-provider-idp">
<h2>How to obtain thumbprint of an OpenID Connect Provider IDP<a class="headerlink" href="#how-to-obtain-thumbprint-of-an-openid-connect-provider-idp" title="Permalink to this headline">¶</a></h2>
<p>1. Take the OpenID connect provider’s URL and add /.well-known/openid-configuration
to it to get the URL to get the IDP’s configuration document. For example, if the URL
of the IDP is <a class="reference external" href="http://localhost:8000/auth/realms/quickstart">http://localhost:8000/auth/realms/quickstart</a>, then the URL to get the
document from is <a class="reference external" href="http://localhost:8000/auth/realms/quickstart/.well-known/openid-configuration">http://localhost:8000/auth/realms/quickstart/.well-known/openid-configuration</a></p>
<p>2. Use the following curl command to get the configuration document from the URL described
in step 1:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>   <span class="n">curl</span> <span class="o">-</span><span class="n">k</span> <span class="o">-</span><span class="n">v</span> \
     <span class="o">-</span><span class="n">X</span> <span class="n">GET</span> \
     <span class="o">-</span><span class="n">H</span> <span class="s2">&quot;Content-Type: application/x-www-form-urlencoded&quot;</span> \
     <span class="s2">&quot;http://localhost:8000/auth/realms/quickstart/.well-known/openid-configuration&quot;</span> \
   <span class="o">|</span> <span class="n">jq</span> <span class="o">.</span>

<span class="mf">3.</span> <span class="n">From</span> <span class="n">the</span> <span class="n">response</span> <span class="n">of</span> <span class="n">step</span> <span class="mi">2</span><span class="p">,</span> <span class="n">use</span> <span class="n">the</span> <span class="n">value</span> <span class="n">of</span> <span class="s2">&quot;jwks_uri&quot;</span> <span class="n">to</span> <span class="n">get</span> <span class="n">the</span> <span class="n">certificate</span> <span class="n">of</span> <span class="n">the</span> <span class="n">IDP</span><span class="p">,</span>
<span class="n">using</span> <span class="n">the</span> <span class="n">following</span> <span class="n">code</span><span class="p">::</span>
    <span class="n">curl</span> <span class="o">-</span><span class="n">k</span> <span class="o">-</span><span class="n">v</span> \
     <span class="o">-</span><span class="n">X</span> <span class="n">GET</span> \
     <span class="o">-</span><span class="n">H</span> <span class="s2">&quot;Content-Type: application/x-www-form-urlencoded&quot;</span> \
     <span class="s2">&quot;http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/certs&quot;</span> \
     <span class="o">|</span> <span class="n">jq</span> <span class="o">.</span>
</pre></div>
</div>
<p>3. Copy the result of “x5c” in the response above, in a file certificate.crt, and add
‘—–BEGIN CERTIFICATE—–’ at the beginning and “—–END CERTIFICATE—–”
at the end.</p>
<ol class="arabic" start="4">
<li><p>Use the following OpenSSL command to get the certificate thumbprint:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">openssl</span> <span class="n">x509</span> <span class="o">-</span><span class="ow">in</span> <span class="n">certificate</span><span class="o">.</span><span class="n">crt</span> <span class="o">-</span><span class="n">fingerprint</span> <span class="o">-</span><span class="n">noout</span>
</pre></div>
</div>
</li>
<li><p>The result of the above command in step 4, will be a SHA1 fingerprint, like the following:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">SHA1</span> <span class="n">Fingerprint</span><span class="o">=</span><span class="n">F7</span><span class="p">:</span><span class="n">D7</span><span class="p">:</span><span class="n">B3</span><span class="p">:</span><span class="mi">51</span><span class="p">:</span><span class="mi">5</span><span class="n">D</span><span class="p">:</span><span class="n">D0</span><span class="p">:</span><span class="n">D3</span><span class="p">:</span><span class="mi">19</span><span class="p">:</span><span class="n">DD</span><span class="p">:</span><span class="mi">21</span><span class="p">:</span><span class="mi">9</span><span class="n">A</span><span class="p">:</span><span class="mi">43</span><span class="p">:</span><span class="n">A9</span><span class="p">:</span><span class="n">EA</span><span class="p">:</span><span class="mi">72</span><span class="p">:</span><span class="mi">7</span><span class="n">A</span><span class="p">:</span><span class="n">D6</span><span class="p">:</span><span class="mi">06</span><span class="p">:</span><span class="mi">52</span><span class="p">:</span><span class="mi">87</span>
</pre></div>
</div>
</li>
</ol>
<p>6.  Remove the colons from the result above to get the final thumbprint which can be as input
while creating the OpenID Connect Provider entity in IAM:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">F7D7B3515DD0D319DD219A43A9EA727AD6065287</span>
</pre></div>
</div>
</div>
<div class="section" id="roles-in-rgw">
<h2>Roles in RGW<a class="headerlink" href="#roles-in-rgw" title="Permalink to this headline">¶</a></h2>
<p>More information for role manipulation can be found here
<a class="reference internal" href="../role/"><span class="doc">角色</span></a>.</p>
</div>
<div class="section" id="openid-connect-provider-in-rgw">
<h2>OpenID Connect Provider in RGW<a class="headerlink" href="#openid-connect-provider-in-rgw" title="Permalink to this headline">¶</a></h2>
<p>More information for OpenID Connect Provider entity manipulation
can be found here
<a class="reference internal" href="../oidc/"><span class="doc">OpenID Connect Provider in RGW</span></a>.</p>
</div>
<div class="section" id="keycloak-integration-with-radosgw">
<h2>Keycloak integration with Radosgw<a class="headerlink" href="#keycloak-integration-with-radosgw" title="Permalink to this headline">¶</a></h2>
<p>Steps for integrating Radosgw with Keycloak can be found here
<a class="reference internal" href="../keycloak/"><span class="doc">Keycloak integration with RadosGW</span></a>.</p>
</div>
<div class="section" id="stslite">
<h2>STSLite<a class="headerlink" href="#stslite" title="Permalink to this headline">¶</a></h2>
<p>STSLite has been built on STS, and documentation for the same can be found here
<a class="reference internal" href="../STSLite/"><span class="doc">STS Lite</span></a>.</p>
</div>
</div>



           </div>
           
          </div>
          <footer>
    <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
        <a href="../STSLite/" class="btn btn-neutral float-right" title="STS Lite" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
        <a href="../layout/" class="btn btn-neutral float-left" title="Rados 网关的数据布局" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
    </div>

  <hr/>

  <div role="contentinfo">
    <p>
        &#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).

    </p>
  </div> 

</footer>
        </div>
      </div>

    </section>

  </div>
  

  <script type="text/javascript">
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script>

  
  
    
   

</body>
</html>